I already have a working public app which performs the initial Auth0 installation flow, and the shops offline access token is stored in my database. I also have a working proxy which sends calls from storefront to my server, and I can successfully verify the Shopify generated signature coming from the proxy, and retrieve the corresponding shops access token to make requests to the Admin API.
Now I want to make calls from my embedded app to my server and then to the Shopify Admin API. The only difference between this process and the process from a storefront is that on the storefront I have to use a proxy, which adds a signature onto my request so that I can perform HMAC verification.
Should I do a similar process when making calls from my embedded application, and if so how?
I followed a Node.js and React tutorial in part to get to where I am, and as I have it working, my embedded app already has access my apps' API_KEY and SHOP_ORIGIN. So I technically could simply send a POST request to my server from the embedded app, sending the SHOP_ORIGIN, then in my server query my database for the corresponding shops offline_token, and with that make a call to the Admin API. However it feels like I'm skipping some sort of a verification step (like the signature for app proxies). In order for this to work I need an endpoint on my server which just takes a SHOP_ORIGIN and can make any Admin API request with only that, in which case why do I even need to verify signatures for an app proxy?
- Generate an online access token everytime an embedded app is created and use that instead of the offline access token (since I have access to my apps' API_KEY in my embedded app)?